diff --git a/airootfs/etc/systemd/scripts/sysrescue-initialize b/airootfs/etc/systemd/scripts/sysrescue-initialize
index 88e743f..334af86 100755
--- a/airootfs/etc/systemd/scripts/sysrescue-initialize
+++ b/airootfs/etc/systemd/scripts/sysrescue-initialize
@@ -47,6 +47,7 @@ do
       # Option to allow user to disable the firewall
       nofirewall)
           echo "Found option 'nofirewall' on the boot command line"
+          # the firewall service(s) must be in the Before-section of sysrescue-initialize.service
           systemctl disable --now iptables.service ip6tables.service
           ;;
     esac
diff --git a/airootfs/etc/systemd/system/sysrescue-initialize.service b/airootfs/etc/systemd/system/sysrescue-initialize.service
index cfad547..03ca7ca 100644
--- a/airootfs/etc/systemd/system/sysrescue-initialize.service
+++ b/airootfs/etc/systemd/system/sysrescue-initialize.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=SystemRescue Initialization
-Before=sshd.service getty-pre.target
+Before=sshd.service getty-pre.target iptables.service ip6tables.service
 Wants=getty-pre.target
 
 [Service]